14-26
When defining ACL rules, you do not need to assign them IDs; the system can automatically assign
rule IDs starting with 0 and increasing in certain rule numbering steps. A rule ID thus assigned is the
smallest multiple of the step that is bigger than the current biggest number. For example, if the rule
numbering step is 5 and the current highest rule ID is 28, the next rule will be numbered 30.
You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing
rule in the ACL.
You can only modify the existing rules of an ACL that uses the match order of
config
. When modifying
a rule of such an ACL, you may choose to change just some of the settings, in which case the other
settings remain the same.
When the ACL match order is
auto
, a newly created rule will be inserted among the existing rules in
the depth-first match order. Note that the IDs of the rules still remain the same.
For a basic IPv6 ACL to be referenced by a QoS policy for traffic classification, the
logging
and
fragment
keywords are not supported.
Related commands:
display
acl
ipv6
.
Examples
# Create IPv6 ACL 2000 and add two rules.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] rule permit source 2030:5060::9050/64
[Sysname-acl6-basic-2000] rule 8 deny source fe80:5060::8050/96
rule (advanced IPv6 ACL view)
Syntax
rule
[
rule-id
] {
deny
|
permit
}
protocol
[ {
established
| {
ack
ack-value
|
fin
fin-value
|
psh
psh-value
|
rst
rst-value
|
syn
syn-value
|
urg
urg-value
} * } |
destination
{
dest dest-prefix | dest/dest-prefix |
any
} |
destination-port operator port1
[
port2
] |
dscp
dscp | fragment
|
icmp6-type
{
icmp6-type
icmp6-code
|
icmp6-message
} |
logging
|
source
{
source source-prefix | source/source-prefix
|
any
}
|
source-port operator port1
[
port2
] |
time-range
time-range-name
] *
undo
rule
rule-id
[ {
established
| {
ack
|
fin
|
psh
|
rst
|
syn
|
urg
} * } |
destination
|
destination-port
|
dscp
|
fragment
|
icmpv6-type
|
logging
|
source
|
source-port
|
time-range
] *
View
Advanced IPv6 ACL view
Default Level
2: System level
Summary of Contents for E4510-48G
Page 109: ...2 18 Sysname interface bridge aggregation 1 Sysname Bridge Aggregation1 shutdown ...
Page 309: ...6 4 Sysname interface vlan interface 1 Sysname Vlan interface1 ip address dhcp alloc ...
Page 324: ...8 3 Sysname interface vlan interface 1 Sysname Vlan interface1 ip address bootp alloc ...
Page 530: ...2 5 Sysname mvlan 100 subvlan 10 to 15 ...
Page 739: ...8 15 Sysname system view Sysname port security trap addresslearned ...
Page 819: ...13 11 Sysname system view Sysname public key peer key2 import sshkey key pub ...
Page 914: ...5 17 Sysname reset oam ...
Page 1064: ...5 30 Slot 2 Set next configuration file successfully ...
Page 1325: ...21 13 Examples Redirect to member 2 Sysname irf switch to 2 Sysname Slave 2 ...